Re: files in /var/tmp
On Sun, Apr 08, 2007 at 03:44:33PM -0700, Kamaraju Kusumanchi wrote:
> Hi all
>
> Can someone throw some light on what the /var/tmp/fast-mech.tgz file and the /var/tmp/raw directory do?
>
> My system (Debian Etch) has been recently compromised and I deleted most of the suspicious files. However, I am not sure about these. Is it safe to delete them, or do you think some process expects them to be there?
>
> According to FHS 2.3, files in /var/tmp are preserved across reboots and applications might expect some temp files there. Other than that, I could not find any other info on fast-mech.tgz file and on /var/tmp/raw directory...
>
>
> $ls -al fast-mech.tgz raw
> -rw-r--r-- 1 rajulocal rajulocal 165248 2007-02-04 20:51 fast-mech.tgz
>
> raw:
> total 1348
> drwxr-xr-x 2 rajulocal rajulocal 4096 2007-01-24 02:34 ./
> drwxrwxrwt 6 root root 4096 2007-04-08 18:26 ../
> -rw-r--r-- 1 rajulocal rajulocal 273 2007-01-24 02:30 1
> -rw-r--r-- 1 rajulocal rajulocal 316 2007-01-24 02:30 2
> -rw-r--r-- 1 rajulocal rajulocal 316 2007-01-24 02:31 3
> -rw-r--r-- 1 rajulocal rajulocal 39415 2007-02-28 19:03 Chio.seen
> -rwxr-xr-x 1 rajulocal rajulocal 608374 2005-05-27 15:40 httpd
> -rw-r--r-- 1 rajulocal rajulocal 35268 2007-02-28 19:03 New.seen
> -rw-r--r-- 1 rajulocal rajulocal 1043 2007-02-28 19:03 raw.levels
> -rw------- 1 rajulocal rajulocal 6 2006-12-29 04:44 raw.pid
> -rw-r--r-- 1 rajulocal rajulocal 1043 2007-02-28 19:03 raw.session
> -rw-r--r-- 1 rajulocal rajulocal 1091 2007-01-24 02:34 raw.set
> -rwxr-xr-x 1 rajulocal rajulocal 608374 2005-05-27 15:40 sshd
> -rw-r--r-- 1 rajulocal rajulocal 35861 2007-02-28 19:03 VaLy.seen
>
> $tar tzvf fast-mech.tgz
> drwxr-xr-x piotr/piotr 0 2007-01-24 02:34 raw/
> -rw-r--r-- piotr/piotr 273 2007-01-24 02:30 raw/1
> -rw-r--r-- piotr/piotr 316 2007-01-24 02:30 raw/2
> -rw-r--r-- piotr/piotr 316 2007-01-24 02:31 raw/3
> -rw------- piotr/piotr 6 2006-12-29 04:44 raw/raw.pid
> -rw-r--r-- piotr/piotr 1091 2007-01-24 02:34 raw/raw.set
> -rwxr-xr-x piotr/piotr 608374 2005-05-27 15:40 raw/httpd
>
>
> Any help is greatly appreciated.
>
> raju
>
Looks like someone has put in an extra web-server for you and an sshd to
control it with. Isn't that kind :)
If you wish to pass the machine on to law enforcement or your university
sysadmins for forensic type investigation, do so now and don't touch
anything else. You may also want to look at Helix and Auditor (two
security-oriented Knoppix type releases for security and forensics on
Live CD).
Otherwise: nuke it from orbit. Boot from a copy of Knoppix or the Ubuntu
live CD. Use tar to archive anything you really need and scp to copy it
off the infected machine. [Booting from a live CD means that you
shouldn't be using possibly infected binaries on the machine hard disk
itself.]
Use Darik's Boot and Nuke to wipe the disk as thoroughly as you can.
Then re-install with Etch and clean media.
HTH,
Andy
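A small triage helper in the spirit of Andy's advice (look at the disk from a clean live CD rather than trusting the machine's own binaries). This is an added example, not from the thread: it flags the three things visible in raju's listing, executables inside a temp tree, files named like system daemons (httpd, sshd), and byte-identical files under two names. The daemon name list and the sample tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Triage a temp directory for the residue pattern seen in the thread:
# an "httpd" and an "sshd" of identical size parked in /var/tmp/raw.
# Intended to be run against a mounted disk from a clean live CD.

# Daemon names that have no business living in a temp tree (assumed list).
DAEMON_NAMES='httpd sshd inetd crond syslogd'

# Print one finding per line, "TAG<tab>path[<tab>other path]":
#   EXEC  owner-executable file inside the tree
#   MASQ  file named like a system daemon
#   DUP   byte-identical content under two names (same cksum)
# Paths are assumed to contain no whitespace (cksum output is split on it).
triage_tmp() {
    dir=$1
    find "$dir" -type f -perm -100 -exec printf 'EXEC\t%s\n' {} \;
    for name in $DAEMON_NAMES; do
        find "$dir" -type f -name "$name" -exec printf 'MASQ\t%s\n' {} \;
    done
    # Sort by checksum so identical files are adjacent, then pair them up.
    find "$dir" -type f -exec cksum {} \; | sort -n | awk '
        { sum = $1 " " $2; path = $3 }
        sum == prev_sum { printf "DUP\t%s\t%s\n", path, prev_path }
        { prev_sum = sum; prev_path = path }'
}

# Number of findings, for use as a quick pass/fail in a scripted check.
count_findings() {
    triage_tmp "$1" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the listing in the thread. Only the
# names, permissions and the httpd/sshd duplication are reproduced; the
# file contents are placeholders, not anything from the compromised box.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/raw"
    printf 'placeholder payload\n' > "$root/raw/httpd"
    cp "$root/raw/httpd" "$root/raw/sshd"      # same bytes, second name
    chmod 755 "$root/raw/httpd" "$root/raw/sshd"
    printf '12345\n' > "$root/raw/raw.pid"
    printf 'nick seen\n' > "$root/raw/Chio.seen"
    echo "$root"
}

sample=$(make_sample)
triage_tmp "$sample"
rm -rf "$sample"
```

On the real tree, point `triage_tmp` at the mounted path (for example /mnt/var/tmp) and compare the DUP and MASQ hits against what the package manager on clean media owns.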